Uber bug bounty program will pay hackers up to $10,000 to find security issues

Shawn Knight


Uber on Tuesday announced a bug bounty program that'll pay security researchers up to $10,000 in exchange for disclosing eligible vulnerabilities related to its various websites and apps. The transportation service provider is partnering with vulnerability disclosure company HackerOne on the project.

Uber said it launched the bug bounty program privately last year and invited more than 200 security researchers to participate. Collectively, the hackers-for-hire have found nearly 100 bugs to date – all of which have since been patched.

To avoid any confusion or misunderstanding, Uber has published a comprehensive list that outlines the specific types of vulnerabilities it is and isn't looking for, as well as its policy on chaining bugs, privilege escalation, public disclosure, promo code / give-get fraud and microsites. They've even created a "treasure map" to help show researchers how to find different classes of bugs across its codebase.

Uber's bounty payouts range from $3,000 for "medium" issues like reflected cross-site scripting and rate limiting issues to $10,000 for critical issues. There's also a mid-tier reward for "significant" issues such as missing authorization checks that lead to the exposure of e-mail addresses, dates of birth, names, phone numbers and so on.

What's more, the company has created what it calls a first-of-its-kind loyalty reward program that will offer a bonus payout if more than four bugs are submitted and accepted by Uber within a 90-day "season." For the fifth (and each bug thereafter), researchers will receive a payout equivalent to 10 percent of the average of their rewards during the 90-day period.



Squid Surprise

Before you get the urge to troll this forum by saying that companies have offered stuff like this for years, I suggest reading this article - which goes a little more thoroughly into the difference between this program and the ones other companies like Facebook and Google do...


Kudos to Uber for understanding that no matter what, breaches will happen, and you need to be proactive in order to minimize the damage...